chore: replace the base image UBI-minimal by UBI-micro #6662
Conversation
UBI-micro has a few advantages compared to UBI-minimal:
- smaller attack surface
- no package manager
- size
Signed-off-by: Frederic Giloux <frederic.giloux@isovalent.com>
Why not UBI 9 micro instead?
@herrberk because UBI 8 minimal was in use before. I am not against moving from 8 to 9 but this PR is about moving from minimal to micro.
ENV GO_VERSION 1.19 | ||
|
||
ARG TARGETARCH | ||
RUN microdnf install -y make gcc which tar gzip | ||
RUN curl -sSLo /tmp/go.tar.gz https://golang.org/dl/go${GO_VERSION}.linux-${TARGETARCH}.tar.gz \ | ||
&& rm -rf /usr/local/go \ | ||
&& tar -C /usr/local -xzf /tmp/go.tar.gz \ | ||
&& ln -sf /usr/local/go/bin/* /usr/local/bin/ \ | ||
&& rm -f /tmp/go.tar.gz \ | ||
&& go version |
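Review bot: Deleting "ENV GO_VERSION 1.19", "RUN microdnf install -y make gcc which tar gzip" and the curl/tar lines that unpack the Go tarball removes the whole toolchain from the only stage in this Dockerfile without a "COPY --from=builder" replacing it; if Go must remain available in the published image for the "go mod tidy" that "operator-sdk init" runs (as the thread below argues), the change should introduce a separate builder stage and copy /usr/local/go from it into the ubi-micro stage, rather than drop the install outright. Please also document in the description which stage each deleted line belonged to, since the same file currently serves as both builder and runtime.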
Could you elaborate on why this was removed?
I believe that Go is required to be present in the final image due to the go plugin running things like go mod tidy at the end of scaffolding of files. Without Go being present in the final image, using this image will fail to scaffold Go based operator projects.
I believe that the ubi micro images don't include a package manager so we might be able to COPY --from=builder ... the necessary stuff to have Go "installed" in the final image.
That should be removed from the runtime not the builder image. go mod tidy should be run at build time in the builder image. Is that not the case?
If I understand you correctly you are saying that the same image is used for build and run time. If that's the case it should get split for introducing UBI-micro. Adding golang, tar would kill the purpose (reducing the attack surface) of the exercise.
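The split the two comments above describe (a builder stage that owns the Go toolchain and build tools, a ubi-micro runtime stage that receives only what it needs via COPY --from=builder) is shown here as an added example; it is not the PR's Dockerfile nor the operator-sdk project's. It assumes Go 1.19 and ubi-minimal 8.8 for the builder, ubi-micro 8.9 for the runtime, and a hypothetical build target ./cmd/operator-sdk producing a static binary.

```dockerfile
# Added example, not the PR's own Dockerfile.
# Stage 1: builder. Everything installed here stays here.
ARG GO_VERSION=1.19

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 AS builder
ARG GO_VERSION
ARG TARGETARCH
# Build-time tools only (gcc, make, tar, gzip); none of these reach the runtime image.
RUN microdnf install -y make gcc which tar gzip \
 && microdnf clean all
# Same download as the original Dockerfile used; pin a checksum in a real build.
RUN curl -sSLo /tmp/go.tar.gz https://golang.org/dl/go${GO_VERSION}.linux-${TARGETARCH}.tar.gz \
 && tar -C /usr/local -xzf /tmp/go.tar.gz \
 && rm -f /tmp/go.tar.gz
ENV PATH=/usr/local/go/bin:$PATH
WORKDIR /src
COPY . .
# Hypothetical build target; the assumed project produces one static binary.
RUN CGO_ENABLED=0 go build -o /out/operator-sdk ./cmd/operator-sdk

# Stage 2: runtime on ubi-micro. No package manager, so nothing can be
# installed here; every file must be copied in from the builder stage.
FROM registry.access.redhat.com/ubi8/ubi-micro:8.9
COPY --from=builder /out/operator-sdk /usr/local/bin/operator-sdk
# Only if Go really must run inside the final image (the "go mod tidy" during
# "operator-sdk init" discussed in this thread): copy the toolchain tree rather
# than installing it, so microdnf, gcc and make never enter the image.
COPY --from=builder /usr/local/go /usr/local/go
ENV PATH=/usr/local/go/bin:$PATH
# Run unprivileged; the id is an assumption, pick whatever the project standardises on.
USER 65532:65532
ENTRYPOINT ["/usr/local/bin/operator-sdk"]
```

The same rule applies to any other program the tool execs at run time: a tar binary for the scorecard case raised later in this thread would have to be copied together with the shared libraries it links against, which is why leaving that image on its current base is the simpler option. Copying /usr/local/go keeps the runtime free of a package manager and compiler, but a go mod tidy run in that container still needs network access to the module proxy and a writable module cache, so the image gains nothing from the split if those are not available there.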
go mod tidy should be run at build time in the builder image. Is that not the case?
The go mod tidy operation that I am referring to is run as part of the scaffolding logic that gets run when you are creating a new Go based operator project using operator-sdk init .... Due to this, Go must be installed in the final image.
I am probably missing the target. For golang operator there is in kubebuilder:
FROM gcr.io/distroless/static:nonroot
this gets replaced in operator-sdk so that operator-sdk init generates (without removing the comment about distroless :-) )
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8
This is where I would like to see ubi-micro.
That replacement should only occur in an operator scaffolded with the OpenShift version of the operator-sdk and not the community (operator-framework) version of the operator-sdk.
@@ -1,4 +1,4 @@ | |||
FROM registry.access.redhat.com/ubi8:8.7 | |||
FROM registry.access.redhat.com/ubi8/ubi-micro:8.9 |
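Review bot: This hunk replaces the full ubi8 base ("FROM registry.access.redhat.com/ubi8:8.7"), not ubi-minimal, so the reduction is larger than the PR title suggests: the standard UBI image ships yum/dnf and tar, and ubi-micro ships neither, while the scorecard comment below reports that this image untars bundle contents inside a Pod. Either leave this Dockerfile on its current base, or copy a tar binary and its shared libraries in from a builder stage and verify the untar step in CI before merging. The 8.7 to 8.9 tag bump folded into the same line is a separate change and should be called out in the description.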
does ubi-micro include the tar command? scorecard uses this image in container within a Pod for untaring bundle contents using the tar command. Without the tar command present in this image, I believe scorecard will always fail.
Maybe we should not migrate scorecard to UBI-Micro. It is not that important as it does not end up as a base image of the end product operator.
To answer your question: tar is not included in ubi-micro.
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
@openshift-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Description of the change:
This pull request replaces the base image, which is used for operator images. It introduces UBI-micro instead of UBI-minimal.
Motivation for the change:
UBI-micro has a few advantages compared to UBI-minimal:
Fixes #6652